NOW stock down 35% YTD as ServiceNow completes largest acquisition to date: Is the Armis deal worth the price?

ServiceNow (NYSE: NOW) completed its acquisition of Armis on April 20, 2026, paying approximately $7.75 billion in cash for the cyber exposure management company in what amounts to the most structurally significant security deal the enterprise workflow giant has executed. The transaction closes within four months of its announcement and arrives just weeks after ServiceNow wrapped up its acquisition of identity intelligence firm Veza in March 2026. Together, the two deals are designed to more than triple ServiceNow’s addressable market in security and risk solutions, stacking real-time asset visibility on top of identity access mapping and routing both signal streams through ServiceNow’s AI-driven workflow engine.

The strategic logic here is architectural rather than opportunistic. For years, enterprise security has operated as a collection of point solutions that do not talk to each other in any operationally useful way. Detection platforms identify risk but cannot remediate. Remediation tools act without full situational context. The gap between the two has been the dominant failure mode in enterprise cybersecurity, and it has grown sharper as machine identities, operational technology devices, and autonomous AI agents have multiplied at a pace that conventional security tooling was never designed to handle. ServiceNow’s acquisition of Armis is an attempt to structurally close that gap rather than paper over it with another dashboard.

What does the Armis acquisition add to ServiceNow’s security platform that it could not build organically?

Armis brings continuous, non-invasive discovery and tracking of nearly seven billion connected devices in real time, spanning operational technology, Internet of Things hardware, medical devices, physical AI infrastructure, code environments, and cloud deployments. That breadth of asset intelligence is genuinely difficult to replicate organically. Building equivalent coverage would require years of device fingerprinting, protocol-level telemetry development, and enterprise deployment at scale. Armis already has it, is trusted by nine of the Fortune 10, and counts more than 35 percent of the Fortune 100 among its customer base.

The Veza acquisition that preceded this one operates on a complementary axis. Where Armis tracks every physical and logical asset in an enterprise environment, Veza’s Access Graph maps every permission held by every human identity, machine identity, and AI agent across the organization’s systems. Machine identities now outnumber human identities by more than 80 to one, and nearly half carry sensitive or privileged access rights that most organizations struggle to see clearly. Lateral movement attacks exploit exactly this blind spot. ServiceNow’s thesis is that feeding both the Armis asset graph and the Veza identity graph into its Context Engine creates an organizational intelligence layer that neither product could deliver independently.

The competitive implications for incumbent security vendors deserve attention. Palo Alto Networks, CrowdStrike, and Microsoft have each been building toward platform consolidation in the security market, but their starting positions are different. CrowdStrike is strong in endpoint and identity threat detection but has limited reach into OT and IoT environments. Palo Alto Networks has broader coverage but its workflow remediation capabilities remain more limited relative to ServiceNow’s core automation competency. Microsoft’s security stack is deeply embedded in enterprise environments but is fundamentally tied to its own identity and device ecosystem. ServiceNow’s advantage is that its workflow and remediation infrastructure is already embedded across enterprise IT, HR, and operations functions, meaning the jump from risk identification to remediation action does not require crossing an organizational or platform boundary.

How does the Armis deal reshape the competitive dynamics in enterprise cyber exposure management?

The cyber exposure management category has been contested by specialist players including Tenable and Claroty, both of which have built significant positions in vulnerability management and OT security respectively. Armis sat at the intersection of these two sub-markets, which made it attractive to ServiceNow precisely because the combination spans the full kill chain from asset discovery through to policy-bounded automated remediation. With ServiceNow’s go-to-market scale behind it, Armis Centrix is no longer competing as a specialist point solution. It competes as the asset intelligence layer of a platform already embedded across the Fortune 500.

For Tenable, this creates a material long-term pressure point. Tenable’s vulnerability management business has historically been strong in IT environments but has faced challenges extending coverage to OT and IoT assets at enterprise scale. The Armis acquisition, combined with ServiceNow’s Q4 2025 performance that was described as its largest quarter ever for OT, signals that ServiceNow is now competing directly in territory Tenable has treated as an expansion opportunity. The second-order effect is that customers running both ServiceNow and Armis, many of whom are also Tenable customers, now have a consolidated alternative that handles discovery, prioritization, and remediation within a single platform and audit trail.

The Armis acquisition is also a direct statement of intent regarding the agentic AI era. As enterprises deploy autonomous AI agents that interact with systems, data, and devices, the attack surface expands in ways that endpoint or identity-centric security tools were not designed to address. Armis has spent years building telemetry for exactly these kinds of environments, including medical devices and physical AI infrastructure. ServiceNow’s establishment of an AI Center for Cyber Defense alongside this acquisition suggests the company is positioning the combined platform not just for today’s enterprise security requirements but for the substantially more complex environments that autonomous AI deployment will create over the next three to five years.

What are the integration execution risks that ServiceNow faces in absorbing two major security acquisitions within the same quarter?

The execution risk here is real and should not be dismissed. ServiceNow completed the Veza acquisition in March 2026 and the Armis acquisition the following month, absorbing two substantial organizations and their engineering teams within weeks of each other. Integration at this pace strains product roadmap alignment, customer-facing account management continuity, and internal culture. Armis has operated as an independent company with its own product strategy, sales motion, and engineering culture since its founding. The identity of an independent security specialist and the identity of a workflow automation business unit are not automatically compatible, and the history of large technology acquisitions is full of cases where the acquirer’s pace of integration undermined the product quality that made the target valuable in the first place.

ServiceNow has said that Armis Centrix continues to operate as a standalone solution and will remain available independently while deeper platform integration is developed over time. That framing is sensible from a customer retention standpoint, but it also means ServiceNow is managing parallel roadmaps for a period. The deeper integration that would fully realize the platform thesis, where Armis asset intelligence flows continuously into ServiceNow’s Context Engine and triggers automated remediation workflows without manual handoff, is described as forthcoming rather than available today. Investors and customers should calibrate expectations accordingly.

The capital structure dimension is also worth noting. ServiceNow funded the $7.75 billion acquisition through a combination of cash on hand and debt. Armis is ServiceNow’s largest acquisition by reported transaction value, and with Veza closing just weeks earlier, the company has deployed substantial capital in a compressed window at a time when its stock has declined approximately 33 to 37 percent year-to-date. NOW shares were trading around $98 to $99 on April 20, sitting roughly 53 percent below the 52-week high of around $209 from July 2025. ServiceNow reports earnings on April 22, 2026, with analysts expecting $0.95 earnings per share and $3.75 billion in revenue. The Armis close lands two days before a closely watched earnings print, and the market will be looking for management to frame the capital allocation logic of both acquisitions within a coherent long-term margin and growth narrative.

How does the market reaction to the Armis acquisition close reflect investor sentiment on ServiceNow’s security platform ambitions?

The stock’s year-to-date decline of approximately 35 percent reflects a broader SaaS derating rather than a specific verdict on ServiceNow’s strategic direction. The stock has traded within a 52-week range of roughly $81 to $211, and at current levels it sits well below historical valuation multiples, with the current price-to-earnings ratio of around 60x substantially lower than the five-year median. TD Cowen maintained a Buy rating on ServiceNow while lowering its price target to $140 from $185, with analyst checks described as remaining constructive on the company’s fundamentals.

The $7.75 billion acquisition price for Armis reflects a meaningful premium in an environment where many enterprise software valuations have compressed. Whether the market concludes that ServiceNow overpaid will depend substantially on the pace of cross-sell conversion among the existing customer overlap, where both companies have significant Fortune 100 presence, and on ServiceNow’s ability to demonstrate accelerating security and risk annual contract value growth in the quarters ahead. The security and risk business crossed $1 billion in annual contract value in Q3 of last year on organic growth alone. The question now is how quickly the Armis and Veza additions move that number.

Key takeaways on what the Armis acquisition means for ServiceNow, its competitors, and the enterprise security market

• ServiceNow has completed the $7.75 billion acquisition of Armis, adding real-time visibility and management of nearly seven billion connected devices, including OT, IoT, medical devices, and physical AI infrastructure, to its platform.
• Combined with the Veza identity intelligence acquisition completed in March 2026, ServiceNow now operates an asset graph and an identity graph that together are intended to power a closed-loop security workflow from exposure detection through policy-bounded automated remediation.
• The acquisition is expected to more than triple ServiceNow’s total addressable market for security and risk solutions, a business unit that crossed $1 billion in annual contract value organically in Q3 2025.
• Armis is trusted by nine of the Fortune 10 and more than 35 percent of the Fortune 100, with significant customer overlap with existing ServiceNow deployments, creating a near-term cross-sell opportunity that does not require building new enterprise relationships from scratch.
• Competitive pressure on Tenable, Claroty, CrowdStrike, and Palo Alto Networks intensifies, particularly in OT and IoT security segments where specialist coverage has historically been fragmented.
• Full platform integration between Armis Centrix and ServiceNow’s Context Engine and AI workflows is described as forthcoming rather than immediately available, which is the primary execution risk to monitor.
• ServiceNow funded the acquisition through cash and debt, completing two large security acquisitions within the same quarter while the stock trades approximately 35 percent below its year-start level, adding scrutiny to capital allocation framing at the April 22 earnings call.
• The establishment of a global AI Center for Cyber Defense signals that ServiceNow is positioning for the expanded attack surface that enterprise agentic AI deployment will create, not just for current enterprise security requirements.
• The acquisition positions ServiceNow as a direct rival to Microsoft’s security stack in large enterprise accounts, competing on breadth of asset visibility and workflow automation depth rather than identity ecosystem lock-in.
• ServiceNow’s architectural advantage, an AI workflow engine already embedded across enterprise functions, means remediation action does not require crossing organizational or platform boundaries, a structural differentiation that standalone security vendors cannot easily replicate.